Kuluoz is a known botnet that appeared in mid-2012 and has also been known by other names such as weelsof, win32 and Dofoil. Kuluoz usually spreads by sending suspicious mail to the target user; once installed, the traffic leaving the network consists of POST requests encoded in a unique format, which makes it difficult to determine the location of the host it talks to or the purpose of the traffic.

Normally the malware is disguised as an attachment to an email. The attachment contains a file masquerading as a Word document that contains details about an online shopping invoice.

The Kuluoz backdoor acts as a gateway to bigger and more dangerous malware. Once it has infected a system, it leaves the system vulnerable to other forms of malware infection. The Kuluoz infection is usually part of a large phishing campaign that lures users into downloading malicious attachments. Once the computer is infected, the malware proceeds to communicate with its C&C servers. It then receives instructions to download other malware onto the host, such as FAKEAV and the ZeroAccess Trojan.

The communication between the C&C servers and the backdoor itself is encrypted. This makes it much harder to pinpoint the location of the servers. The C&C servers can make the malware do several things on the host machines, including update itself, modify registry keys, delete critical files, and steal files if required.

Kuluoz is a very common dropper that can easily infect systems through mass email spam campaigns. The malware also attempts to steal several types of documents from a system, including Word documents, Excel spreadsheets and PowerPoint presentations.

Analysis

During execution of the malware, it was found that a Word document named Delivery-Information-ID-004588020234-Z31 was created by the sample.

The suspected file looks like a harmless Word document

Later the file was uploaded to Cuckoo Sandbox, which identified the IOCs of the sample. The detection ratio was very high, so the file was confirmed as malware.



As the sample is packed, we need to know which packer was used to obfuscate it. Many tools, such as TrID and PEiD, can identify the packer. Here I have used a custom script to extract metadata such as file size, sections and import tables from the file. The file may also be packed using an encryption mechanism; in order to carry out further analysis, it must first be unpacked and decrypted.

The file seems to be packed using the UPX packer

Now that the file is unpacked, we need to execute the malware sample in our custom virtual environment. On running the file we immediately see a Notepad window pop up with a strange message in it.


Notepad shows a cryptic error message

The text file that is opened is saved on the user’s desktop and has the same name as the sample itself, in this case Delivery-Information-ID-004588020234-Z31.txt.

Viewing the list of open processes in the system, it is found that a duplicate process called svchost.exe is executing and has spawned the Notepad window depicted above.

A fake svchost.exe is revealed

Svchost.exe is actually a normal Windows process, but in this case the malware attempts to mask its presence by taking the name of such a process.

While the malware is executing, the network traffic is monitored. Some traffic in the form of POST requests was detected; the requests are encoded in a unique format to prevent us from finding out the actual data being sent out. The data is being sent to two external IP addresses.

Encoded POST requests leaving the system

At this point, a memory dump of the system was taken to perform memory analysis on the infected host. The first step is to find where in the memory the malicious file is residing. This is easily revealed using our memory analysis tool.

A quick memory scan reveals an embedded executable in a process

An embedded executable is found residing in the process called svchost.exe with a PID (Process ID) of 2316.

The memory dump is searched for artifacts that could indicate malicious software. This is done by looking for mutexes in the memory. The mutexes created by the malware begin with CTF and are followed by several long random characters.

A memory scan is then run on the process in question, revealing several HTTP requests containing the keyword “You fag!!”.

Looking through the memory of the svchost process, it is found that a malicious DLL has been injected into it. Finally, the injected code is dumped so that further analysis can be performed on it.

DLL injected into svchost.exe

Malfind command dumps malicious code in normal processes

Examining the dumped files in a hex editor reveals several more instances of the keyword “You Fag”.

This keyword is used as a key for encoding the communications that leave the infected host.

Key used to encode communications

The dump also reveals information on how the malware communicates with its C&C servers. It uses XML notation to send and receive commands. These commands are encrypted using the RC4 algorithm.

The URL path is hardcoded as “/index.php?r=gate”.

Dump showing XML request and hardcoded URL

The XML API used by the malware has several tags. The functions of the tags are listed below:

  • <knock>: XML top element open
  • <id>%s</id>: ID string
  • <group>%s</group>: Group ID string
  • <time>%d</time>: Negative timestamp
  • <version>%d</version>: Hardcoded bot version
  • <status>%d</status>: Status of last command
  • <debug>%s</debug>: Environment information such as OS version, 64/32-bit, firewall, antivirus
  • </knock>: XML top element close
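The RC4-encrypted XML beacon described above, worked through as an analyst-side decoder. This is an added example, not code from the original article: the RC4 key is a constructed placeholder (substitute the string recovered from the memory dump), and the sample knock body is constructed from the tag layout listed above.

```python
# Added example: decode a captured Kuluoz-style "knock" POST body.
# The key below is a constructed placeholder, not the real one.
import xml.etree.ElementTree as ET

PLACEHOLDER_KEY = b"EXAMPLE-RC4-KEY"   # assumption: replace with the dumped key
GATE_PATH = "/index.php?r=gate"         # hardcoded URL path seen in the dump


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: one call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_knock(xml_text: str) -> dict:
    """Pull the beacon fields out of a <knock> element into a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "knock":
        raise ValueError(f"unexpected top element <{root.tag}>")
    fields = {child.tag: (child.text or "") for child in root}
    for name in ("time", "version", "status"):   # the %d fields
        if name in fields:
            fields[name] = int(fields[name])
    return fields


def decode_post_body(key: bytes, body: bytes) -> dict:
    """Decrypt a captured POST body and parse the knock inside it."""
    return parse_knock(rc4(key, body).decode("utf-8"))


# Constructed sample beacon following the documented tag layout.
SAMPLE_KNOCK = (
    "<knock><id>bot-0001</id><group>grp-a</group><time>-1400000000</time>"
    "<version>2</version><status>0</status>"
    "<debug>Windows 7 x64; fw=on; av=none</debug></knock>"
)
# What the wire would carry after the bot applies RC4 (symmetric, so same call).
SAMPLE_BODY = rc4(PLACEHOLDER_KEY, SAMPLE_KNOCK.encode())
```

Run against a real capture, the body of each POST to GATE_PATH goes straight into decode_post_body with the recovered key; a ValueError or a UTF-8 decode failure means the key or capture is wrong.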

In conclusion, Kuluoz is a dangerous botnet that is spread via spam emails. Strong spam filters need to be deployed to reduce the number of phishing and spam emails reaching the victim’s inbox. Moreover, email servers need to be configured to block or remove emails that carry attachment types commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files. As always, employees need to be trained not to open attachments unless they are expecting them, and monitoring network connectivity to the C&C IP addresses identified during the analysis is also recommended.

